We use cookies to help us improve our webpage. Please read our Cookie Policy .

AS-2022-006: Netatalk

2022-05-06

Severity

Important

Status

Resolved


Statement

The Netatalk development team disclosed multiple fixed vulnerabilities affecting earlier versions of the software on the latest release of Netatalk 3.1.13: CVE-2021-31439, CVE-2022-23121, CVE-2022-23122, CVE-2022-23123, CVE-2022-23124, CVE-2022-23125 and CVE-2022-0194.

Netatalk 3.1.13 has been updated on ADM 4.0.5.RT42 and ADM 3.5.9.RT42 to resolve these issues.


Affected Products

Product Severity Fixed Release Availability
ADM 4.0 Important Upgrade to 4.0.5.RT42 or above.
ADM 3.5 Important Upgrade to 3.5.9.RT42 or above.

Mitigation

Netatalk provides file access through AFP (Apple Filing Protocol) on ADM. AFP service has been disabled by default since ADM 4.0. We recommend using SMB protocol instead when connecting from macOS.

For ASUSTOR NAS not yet upgraded to ADM 3.5.9.RT42 or above, administrators can disable AFP service to mitigate the specific vulnerabilities. In environments where AFP is still needed, setting up firewall rules to only allow trusted clients to connect over AFP (port 548) can be used as temporary mitigation.


Detail

  • CVE-2021-31439
    • Severity: Important
    • This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Synology DiskStation Manager. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of DSI structures in Netatalk. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-12326.
  • CVE-2022-23121, CVE-2022-23122, CVE-2022-23123, CVE-2022-23124, CVE-2022-23125, CVE-2022-0194
    • Severity: Important
    • ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Reference


Revision

Revision Date Description
1 2022-04-26 Initial public release.
2 2022-05-05 Update mitigation information.
3 2022-05-06 Release ADM 4.0.5.RT42 and ADM 3.5.9.RT42 to update Netatalk version for fixing the issues.